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Abstract 

A  type  system  is  given  that  eliminates  two  kinds  of 
covert  flows  in  an  imperative  programming  language. 
The  first  kind  arises  from  nontermination  and  the  other 
from  partial  operations  that  can  raise  exceptions.  The 
key  idea  is  to  limit  the  source  of  nontermination  m 
the  language  to  constructs  with  minimum  typings,  and 
to  evaluate  partial  operations  within  expressions  of  try 
commands  which  also  have  minimum  typings.  A  mu¬ 
tual  progress  theorem  is  proved  that  basically  states  that 
no  two  executions  of  a  well-typed  program  can  be  distin¬ 
guished  on  the  basis  of  nontermination  versus  abnormal 
termination  due  to  a  partial  operation.  The  proof  uses 
a  new  style  of  programming  language  semantics  which 
we  call  a  natural  transition  semantics. 


1.  Introduction 

In  [9],  we  gave  a  type  system  for  secure  information 
flow  in  a  core  imperative  language.  The  type  system  is 
composed  of  a  set  of  types  and  typing  rules  for  deducing 
the  types  of  expressions  and  commands.  Types  corre¬ 
spond  to  partially-ordered  security  classes  like  low  (!) 
and  high  (H),  where  L  <  H.  The  ordering  is  the  basis 
for  a  subtype  relation  which  allows  upward  information 
flows.  We  proved  a  form  of  noninterference  for  the  type 
system.  However,  the  system  does  not  address  covert 
flows  in  programs  that  arise  from  nontermination  and 
partial  operations. 

To  illustrate  these  kinds  of  flows,  we  give  part  of  the 
thread  bodies  of  two  Java  applets  that  merely  prompt 
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a  client  for  a  password  via  a  text  Held.  The  first  applet 
creates  an  inspector  thread  for  each  character  in  the 
password.  Part  of  the  inspector  thread  body  is  given 
in  Figure  1.  It  loops  indefinitely  when  it  discovers  the 


while  (p.charAt(i)  ==  'a') 

ps.printlnfi  +  ”  not  a”); 
while  (p.charAt(i)  ==  'b') 

ps.printlnfi  +  ”  not  b”); 

Figure  1.  Covert  Flow  from  Nontermination 

character  stored  at  position  i.  Until  then,  it  records  the 
characters  it  has  examined  by  opening  a  socket  connec¬ 
tion  back  to  another  port  on  the  server  from  which  the 
applet  originated.  This  connection  is  permitted  under 
the  current  “sandbox”  model  of  Java  security.  A  sim¬ 
ilar  inspector  thread  body  can  be  designed  to  reveal 
a  password  using  a  partial  operation.  Part  of  such  a 
body  is  given  in  Figure  2.  It  uses  division  and  fails  to 


if  (l/(p.charAt(i)  —  'a')  ==  0) 

ps.printlnfi  +  ”  not  a”); 
if  (l/(p.charAt(i)  -  V)  ==  0) 

ps.printlnfi  +  ”  not  b”); 

Figure  2.  Covert  Flow  from  a  Partial  Operation 

catch  the  arithmetic  exception.  The  thread  bodies  of 
the  preceding  examples  are  well  typed  in  our  original 
secure-flow  type  system. 
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pressions,  and  c  over  commands: 


We  show  how  these  kinds  of  covert  flows  can  be  han¬ 
dled  with  just  a  simple  modification  to  our  original  type 
system  based  on  the  notion  of  a  minimum  type.  We  say 
that  a  type  r  is  minimum  if  r  <  r'  for  every  type  r'. 
To  handle  the  covert  flow  arising  from  nontermination, 
we  merely  change  the  typing  rule  for  while  e  do  c  to 
require  that  e  have  minimum  type.  Similarly,  we  in¬ 
troduce  a  try  command  for  each  partial  operation  and 
type  the  command  minimally.  Now,  the  variable  c,  in 
the  examples  above,  would  not  have  minimum  type,  so 
the  thread  bodies  would  not  be  well  typed  since  neither 
could  be  typed  minimally. 

The  new  typing  rules  allow  us  to  prove  theorems 
about  covert  flows.  Our  first  covert-flow  theorem  estab¬ 
lishes  the  property  of  termination  agreement  for  well- 
typed  programs.  It  is  proved  with  respect  to  a  natural, 
or  “big-step”,  semantics.  Termination  agreement  is  a 
somewhat  weaker  statement  about  covert  flow  than  we 
desire.  This  will  lead  us  to  a  second  theorem  that  es¬ 
tablishes  a  stronger  property  for  well-typed  programs, 
namely  mutual  progress. 

To  prove  mutual  progress,  we  need  a  transitional, 
or  “small-step” ,  style  of  semantics  in  order  to  make 
statements  about  partial  executions.  We  use  a  form  of 
transition  semantics  for  this  purpose  which  we  call  a 
natural  transition  semantics  (NTS)  [7].  It  is  derivable 
directly  from  our  natural  semantics. 

Soundness  and  completeness  of  the  NTS,  with  re¬ 
spect  to  the  natural  semantics,  allows  us  to  switch  from 
one  semantic  style  to  the  other  where  appropriate.  The 
proof  of  mutual  progress,  for  instance,  depends  on  ter¬ 
mination  agreement  which  can  be  proved  more  easily  in 
the  natural  semantics  than  in  the  NTS  since  a  natural 
semantics  is  well  suited  for  reasoning  about  complete 
evaluation  derivations.  So  we  jump  out  of  the  progress 
proof,  by  NTS  soundness,  to  get  termination  agree¬ 
ment,  which  is  proved  in  the  natural  semantics,  and 
then  re-enter,  by  NTS  completeness,  to  carry  out  the 
progress  proof. 

Finally,  we  consider  a  more  restrictive  type  system 
that  also  requires  conditionals  to  be  typed  minimally. 
Then  we  get  an  even  stronger  covert-flow  result  that 
basically  rules  out  covert  timing  channels  in  programs. 
That  is,  no  two  executions  of  a  well-typed  program  can 
be  distinguished  by  timing  differences. 

2.  The  Type  System 

The  core  language  we  consider  consists  of  phrases, 
each  of  which  is  either  an  expression  or  a  command. 
We  let  metavariable  p  range  over  phrases,  e  over  ex¬ 


p  ::=  e  \  c 

e  ::=  x  \  l  \  n  \  e  +  e'  \  e  —  e' 

|  e  =  e'  |  e  <  d 

c  ::=  e  :=  e'  |  c;  c' 

|  if  e  then  c  else  d 
|  while  e  do  c 
|  letvar  x  :=  e  in  c 
|  try  x  =  e  -P  e'  in  c 

Metavariable  x  ranges  over  identifiers,  l  over  locations, 
and  n  over  integer  literals.  Integers  are  the  only  val¬ 
ues.  We  use  0  for  false  and  1  for  true,  and  assume 
that  locations  are  well  ordered.  All  program  I/O  is 
done  through  free  locations  in  a  program.  The  core 
language  includes  a  try  command  for  one  partial  oper¬ 
ation,  namely,  integer  division.  The  scope  of  x  in  a  try 
command  is  c.  Other  partial  operations  can  be  intro¬ 
duced  in  the  same  fashion.  We  want  to  consider  only 
those  programming  constructs  that  are  fundamental  to 
a  treatment  of  covert  flows  in  an  imperative  language. 
For  this  reason,  procedures  and  an  assortment  of  other 
language  features,  such  as  arrays,  are  not  included. 

Notice  that  try  commands  do  not  have  catch 
clauses  for  exception  handling.  A  command  like 

try  x  =  e  -P  e'  in  c  catch  d 

introduces  an  implicit  flow  from  e  and  d  to  d  that 
can  be  handled  with  a  typing  rule  like  those  for  any 
guarded  commands.  Here,  we  focus  on  the  case  where 
exceptions  are  not  caught  and  therefore  do  not  consider 
try-catch  commands. 

As  in  our  earlier  type  system,  the  types  of  the  core 
language  are  stratified: 

r  ::=  s 

p  ::=  r  |  r  var  |  r  cmd 

Metavariable  s  ranges  over  security  classes,  which  we 
assume  are  partially  ordered  by  <.  Type  r  var  is  the 
type  of  a  variable  and  r  cmd  is  the  type  of  a  command. 

The  typing  rules  for  the  core  imperative  language 
are  given  in  Figure  3.  They  form  a  deductive  proof  sys¬ 
tem  for  assigning  types  to  expressions  and  commands. 
They  are  given  in  a  syntax-directed  form  and  are  equiv¬ 
alent  to  a  more  flexible  system  where  coercions  can  be 
applied  more  freely.  Typing  rules  for  some  expressions 
are  omitted  since  they  are  similar  to  rule  (arith). 

Typing  judgements  have  the  form 

\;j\~p:p 

where  A  is  a  location  typing  and  7  is  an  identifier  typ¬ 
ing .  The  judgement  means  that  phrase  p  has  type  p, 


(int) 

A;  7  b  n  :  t 

(var) 

A;  7  b  x  :  t  var  j(x)  =  r  var 

(VARLOC) 

A;  7  b  /  :  r  var  A (/)  =  r 

(arith) 

A;  7  b  e  :  r, 

A;  7  b  e'  :  t 

A;  7  b  e  +  e'  :  t 

(r-val) 

A;  7  b  e  :  t  var, 
t  <  t' 

A;  7  b  e  :  t' 

(assign) 

A;  7  b  e  :  t  var, 

A;  7  b  e'  :  t, 

T1  <  T 

A;  7  b  e  :=  e'  :  r'  cmrf 

(compose) 

A;  7  b  c  :  r  cmd, 

A;  7  b  c'  :  t  cmd 

A;  7  b  c;  c'  :  r  cmd 

(if) 

A;  7  b  e  :  t, 

A;  7  b  c  :  t  cmd, 

A;  7  b  c'  :  t  cmd, 
t'  <  T 

A;  7  b  if  e  then  c  else  c'  :  t' 

cmd 

(try) 

A;  7  b  e  :  t, 

A;  7  b  e'  :  t, 

A;  j[x  :  r]  b  c  :  r  cmd, 
t  is  minimum 

A;  7  b  try  x  =  e  -7  e'  in  c  :  r 

cmd 

(while) 

A;  7  b  e  :  r, 

A;  7  b  c  :  r  cmd, 
t  is  minimum 

A;  7  b  while  e  do  c  :  r  cmd 

(letvar) 

A;  7  b  e  :  t, 

A;  j[x  :  t  var]  b  c  :  r'  cmd 

A;  7  b  letvar  x  :=  e  in  c  :  t' 

cmd 

Figure  3.  Typing  Rules  for  Eliminating  Covert  Flows 
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assuming  A  prescribes  types  for  locations  in  p  and  7 
prescribes  types  for  any  free  identifiers  in  p.  An  identi¬ 
fier  typing  is  a  finite  function  mapping  identifiers  to  p 
types;  7 (x)  is  the  p  type  assigned  to  x  by  7  and  j[x  :  p] 
assigns  type  p  to  x  and  to  variable  x'  yt  x,  type  j(x'). 
If  7  is  dropped  from  a  judgement,  as  in  A  b  p  :  p,  then 
it  is  assumed  to  be  empty.  A  location  typing  is  also  a 
finite  function,  but  it  maps  locations  to  r  types.  The 
notational  conventions  for  location  typings  are  similar. 

One  can  understand  the  intuition  behind  our  type 
system  as  follows:  in  a  guarded  command  like 
while  e  do  c,  whenever  c  is  executed,  it  is  known  that 
e  was  true.  Hence,  if  e  :  H ,  then  c  must  not  assign 
to  any  variables  of  class  L,  for  such  assignments  would 
constitute  an  illegal  downward  flow.  The  typing  rule 
therefore  requires  that  c  in  this  case  have  type  H  cmd, 
which  means  that  it  only  assigns  to  variables  of  class  H . 
However,  assigning  to  variables  is  not  the  only  way  for 
a  command  to  transmit  information — a  command  can 
also  transmit  information  by  failing  to  terminate  or  by 
aborting.  Such  failed  executions  transmit  information 
(covertly)  to  an  outside  observer  of  the  program’s  ex¬ 
ecution,  who  must  be  regarded  as  L.  To  prevent  such 
downward  covert  flows,  we  require  that  the  sources  of 
failed  executions  (i.e.  the  guard  of  a  while  loop  and 
the  denominator  of  a  division  in  a  try  command)  have 
minimum  type.1  The  new  restrictions  on  while  and 
try  ensure  that  executing  a  command  of  type  H  cmd 
does  not  transmit  covert  information  to  an  outside  ob¬ 
server,  because  the  command  is  guaranteed  to  termi¬ 
nate  successfully. 

Of  course,  this  does  not  rule  out  timing  channels, 
which  use  program  execution  time  to  transmit  infor¬ 
mation  to  the  outside  observer.  In  our  final  covert- 
flow  theorem  in  Section  5,  we  consider  eliminating  tim¬ 
ing  channels  by  also  requiring  the  guard  of  conditional 
commands  to  have  minimum  type.  But  this  may  make 
the  type  system  too  restrictive  to  be  practical.  More 
experience  is  needed  to  be  sure. 

3.  Our  First  Covert-Flow  Theorem 

Our  first  covert-flow  theorem  is  expressed  with  re¬ 
spect  to  a  natural  semantics  for  closed  phrases  in  the 
core  language.  A  closed  phrase  is  evaluated  relative  to 
a  memory  p,  which  is  a  finite  function  from  locations 
to  values.  The  contents  of  a  location  l  £  dom(p)  is 
the  value  p(l),  and  we  write  p[l  :=  n]  for  the  memory 
that  assigns  value  n  to  location  l,  and  value  p{lr)  to  a 
location  /'  yt  /;  p[l  ~  n]  is  an  update  of  p  if  /  £  dom(p) 
and  an  extension  of  p  otherwise. 

1For  simplicity,  we  also  require  the  numerator  of  a  division  to 
have  minimum  type.  This  restriction  can  be  relaxed. 


The  evaluation  rules  are  given  in  Figure  4.  They 
allow  us  to  derive  judgements  of  the  form  p  \~  e  n 
for  expressions  and  p  b  c  =7  p'  for  commands.  Eval¬ 
uating  a  closed  expression  e  in  a  memory  p  results  in 
an  integer  n.  Expressions  are  pure  in  that  they  do 
not  alter  memory  when  evaluated.  Evaluating  a  closed 
command  c  in  a  memory  p  results  in  a  new  memory 
p' .  Commands  do  not  yield  values. 

We  write  [e/x\c  to  denote  the  substitution  of  e  for 
all  free  occurrences  of  x  in  c,  and  let  p  —  l  be  memory  p 
with  location  l  deleted  from  its  domain.  Note  the  use 
of  substitution  in  rules  (div)  and  (bindvar).  It  allows 
us  to  avoid  using  environments  in  the  semantics. 

3.1.  Termination  Agreement 

Now  we  can  state  our  first  covert-flow  theorem: 

Theorem  3.1  (Termination  Agreement)  Suppose 

(a)  Ah  c  :  p, 

(b)  (ihc=>  p' , 

(c)  v  is  a  memory  such  that  dom(p)  =  dom(v)  = 
dom(X),  and 

( d )  v(l)  =  p(l)  for  all  l  such  that  A (/)  <  r. 

Then  there  is  a  memory  v'  such  that  v  b  c  =7  v'  and 
v'{l)  =  p' (l)  for  all  l  such  that  A (/)  <  r. 

An  alternative  statement  of  the  theorem  is  if  a  com¬ 
mand  c  is  well  typed,  and  p  and  v  are  memories  such 
that  (c)  and  ( d )  are  true,  then  either 

1.  c  fails  to  terminate  successfully  under  p  and  v,  or 

2.  c  terminates  successfully  under  p  and  v  and  the 
resulting  memories  agree  on  all  locations  whose 
types  are  bounded  by  r. 

The  theorem  departs  from  the  noninterference  theorem 
of  [9]  in  that  it  does  not  require  c  to  terminate  success¬ 
fully  under  both  p  and  v.  There  is  a  hypothesis  about 
the  successful  termination  of  c  under  p  only.  With  the 
remaining  hypotheses,  it  is  enough  to  ensure  that  c  also 
terminates  successfully  under  v. 

Before  proving  the  theorem,  we  need  a  number  of 
lemmas.  The  first  four  lemmas  are  taken  from  our  ear¬ 
lier  work  [9].  They  can  be  proved  for  the  typing  rules 
in  Figure  3  as  well. 

Lemma  3.2  (Simple  Security)  If  A  b  e  :  t,  then 
for  every  l  in  e,  A (/)  <  r. 
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I  G  dom(fi) 


(val) 

(contents) 

(add) 

(update) 

(sequence) 

(branch) 


(div) 


(loop) 


(bindvar) 


H  \-  n  n 

/jhl=>  fl(l) 

fi\-  e  =>  n,  fi  b  e'  =>  n' 
fi\~e  +  e'  =^n  +  n' 


fi\-  e  =>  n 

/ih(  :=e=>  fi[l  :=  n] 


l  G  dom(fi) 


H  b  c  =>  fi' ,  fi'  b  c'  =>  fi" 
H  b  c;  c'  =>  fi" 


H  b  e  =>  n,  (n  nonzero) 
fi\~  c  =?  fl' 

fi  b  if  e  then  c  else  c'  =>  fj! 


/ihe=>0, 

/i  h  c'  =>  /j' 

fi  b  if  e  then  c  else  c'  =>  fj! 


/ihc=>n, 

H  b  e'  =>  n',  (n1  nonzero) 
fi  b  [(n  Ln')/r]c  =>  fj! 

H  b  try  i  =  e  S-  e'  in  c  /i' 


/ihe=>0 

fi  b  while  e  do  c  =>  fi 

/ibc=>n,  (n  nonzero) 
/i  b  c  =>  /, 

fj!  b  while  e  do  c  =>  fj," 
H  b  while  e  do  c  =>  fj," 


/ibc=>n, 

/  is  the  least  location  not  in  (Jom(fi), 

n[l  :=  n]  b  [l/x\c  =>  fj! 

fi  b  letvar  x  :=  e  in  c  fi'  —  l 


Figure  4.  Core  Language  Natural  Semantics 
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Lemma  3.3  (Confinement)  If  A;  7  b  c  :  r  emrf, 
then  for  every  l  assigned  to  in  c,  A (l)  >  r. 

Lemma  3.4  (Expression  Substitution)  If  \;j[x  : 
r]  b  p  :  p,  then  A;  7  b  [n/x\p  :  p,  and  if  A;  7  b  /  :  p  and 
A;  j[x  :  p\  b  p  :  p' ,  then  A;  7  b  [1  / x\p  :  p' . 

Lemma  3.5  If  p  \~  c  =7  p' ,  then  dom(p)  =  dom(p'). 

We  introduce  the  following  lemmas,  each  of  which 
can  be  proved  by  induction  on  phrase  structure. 

Lemma  3.6  (Determinism)  Suppose  v(I)  =  p(l), 
for  every  l  in  e,  p  b  e  =7  n,  and  v  b  e  =7  n' .  Then 
n  =  n! . 

Lemma  3.7  Suppose  A  b  e  :  r  and  p  is  a  memory 
such  that  dom(p)  =  dom( A).  Then  there  is  an  integer 
n  such  that  p  \~  e  =7  n. 

Lemma  3.8  If  A;  7  b  c  :  r  cmd  and  c  contains  an 
occurrence  of  while  or  try,  then  r  is  minimum. 

Lemma  3.9  Suppose  A  b  c  :  r  cmd  and  c  does  not 
contain  an  instance  of  while  or  try,  and  p  is  a  mem¬ 
ory  such  that  dom(p)  =  dom( A).  Then  there  is  a  mem¬ 
ory  p'  such  that  p  \~  c  =7  p' . 

Notice  the  purely  syntactic  hypotheses  under  which 
termination  is  guaranteed  in  Lemma  3.9.  Limiting  par¬ 
tial  recursion  to  typed  commands  in  a  language  ( e.g . 
while  or  letrec)  makes  it  easier  to  get  a  sound  and 
practical  type  system  to  control  covert  flows.  Some 
programming  language  features  make  it  much  harder 
to  achieve  such  a  system.  For  example,  some  people 
have  proposed  extending  Java  with  higher-order  func¬ 
tions.  In  the  context  of  an  imperative  language,  such 
as  Java,  higher-order  functions  make  recursion  possible 
through  circularity  in  memory:  one  can  bind  a  variable 
to  a  function  containing  a  free  occurrence  of  that  vari¬ 
able  [8].  Such  an  extension  makes  it  harder  for  the 
type  system  to  be  aware  of  potentially  nonterminating 
programs,  and  yet  be  flexible. 

Typing  the  while  and  try  commands  minimally 
prevents  them  from  taking  different  execution  paths 
under  two  memories  that  agree  on  locations  with  min¬ 
imum  type.  A  conditional,  however,  is  still  free  to  take 
different  execution  paths  under  two  such  memories. 

The  proof  of  the  termination  agreement  theorem  re¬ 
sembles  the  proof  of  noninterference  in  [9].  It  proceeds 
by  induction  on  the  structure  of  p  b  c  =7  p' .  We  give 
the  proof  for  one  of  the  more  interesting  cases,  namely, 
evaluation  rule  (branch).  The  remaining  evaluation 
rules  are  treated  similarly. 


(branch).  Suppose  p  b  if  e  then  c  else  c'  =7  p' 
and  the  typing  derivation  ends  with  an  application  of 
rule  (if): 

Abe:r', 

A  b  c  :  t'  cmd, 

A  b  c'  :  t'  cmd , 

s' 

T  <.  T 

A  b  if  e  then  c  else  d  :  t"  cmd 
There  are  two  cases: 

1.  t1  <  t.  Then  suppose  the  evaluation  under  p  ends 
with  the  second  rule  for  (branch): 

p  b  e  =7  0 
p\~  d  =7  p! 

p  b  if  e  then  c  else  d  =7  p’ 

By  the  simple  security  lemma,  A (/)  <  r'  for  every  l 
in  e  and  so  A (/)  <  r  for  every  /  in  e.  By  hypothesis 
( d )  then,  v(I)  =  p(I)  for  every  l  in  e,  and  thus 
1/  b  e  =7  0  by  Lemmas  3.6  and  3.7.  By  induction 
there  is  a  memory  v’  such  that  v  b  d  =7  v’  and 
v'(I)  =  p'(l)  for  all  l  such  that  A (/)  <  r.  Then 
v  b  if  e  then  c  else  d  =7  v'  by  the  second  rule 
for  (branch).  Evaluation  under  p  ending  with 
the  first  rule  for  (branch)  is  handled  similarly. 

2.  t'  t.  Then  r'  is  not  minimum,  and  thus  by 
Lemma  3.8,  neither  c  nor  d  contains  an  occurrence 
of  while  or  try.  So  there  is  a  memory  v'  such 
that  v  b  if  e  then  c  else  d  =7  v'  by  Lemma  3.9. 
By  the  Confinement  Lemma,  A (/)  >  r'  for  every  l 
assigned  to  in  c  or  d .  Thus  for  every  l  assigned  to 
in  c  or  d ,  A (/)  r  since  otherwise  r'  <  r.  So  if 
l  G  dom( A)  and  A (/)  <  r,  then  l  is  not  assigned  to 
in  con/.  So  p'(l)  =  p{l)  and  v'(l)  =  v{I)  for  all  l 
such  that  A (/)  <  r,  and  we’re  done  by  ( d ). 

4.  Our  Second  Covert-Flow  Theorem 

Termination  agreement  is  still  a  somewhat  weaker 
statement  than  we  want  about  what  the  type  sys¬ 
tem  actually  guarantees  in  terms  of  protection  against 
covert  flows.  It  says  that  if  c  does  not  terminate  suc¬ 
cessfully  under  one  memory  then  it  doesn’t  terminate 
successfully  under  the  other  memory  either.  So  the  two 
executions  cannot  be  distinguished  by  one  of  them  ter¬ 
minating  successfully  and  the  other  failing  to  do  so. 
But  what  about  distinguishing  nontermination  from 
abnormal  termination?  The  theorem  does  not  rule  out 
the  possibility  that  c  fails  to  terminate  under  one  mem¬ 
ory  and  gets  stuck  (aborts)  under  the  other. 
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For  example,  suppose  location  l  ranges  over  0  and  1 
and  that  l  £  dom(p)  and  l  £  dom(v).  Now  if  p  and  v 
agree  on  all  locations  of  minimum  type,  then 

try  z  =  2  -£  /  in 

while  (7  >  0)  do  ; 

may  get  stuck  under  p  yet  fail  to  terminate  under  v  if 
l  does  not  have  minimum  type.  These  two  executions 
can  be  distinguished.  What  we  want  to  show  yet  is 
that  if  a  command  c  is  well  typed  and  it  fails  to  ter¬ 
minate  successfully  in  some  way  under  p,  then  it  also 
fails  to  terminate  successfully  in  the  same  way  under 
v.  Stated  in  another  way,  execution  of  c  under  v  makes 
progress  iff  its  execution  under  p  does.  This  brings  us 
to  our  second  covert-flow  theorem:  the  mutual  progress 
theorem.  However,  before  we  can  state  and  prove  the 
theorem,  we  need  another  form  of  semantics. 

A  natural  semantics  allows  us  to  state  properties 
about  successful  or  complete  program  executions,  not 
partial  ones.  So  it  is  not  suited  for  proving  properties 
about  intermediate  steps  of  a  computation  like  progress 
theorems.  For  this,  we  use  a  new  form  of  semantics 
which  we  call  a  natural  transition  semantics  (NTS)  be¬ 
cause  it  is  derived  directly  from  the  natural  semantics 
[7].  Unlike  the  treatment  of  NTS  in  [7],  here  it  is  for¬ 
mulated  as  a  set  of  transition  rules.  These  rules  admit 
proofs  of  properties  about  a  single  transition  by  induc¬ 
tion  on  the  structure  of  its  derivation. 

4.1.  Natural  Transition  Semantics 

A  traditional  transition  semantics  for  an  impera¬ 
tive  programming  language  defines  transitions  between 
configurations  that  involve  memories  and  terms  of  the 
language  [3].  Here  we  define  transitions  between  par¬ 
tial  derivation  trees  which  represent  partial  derivations 
in  the  natural  semantics. 

Partial  derivation  trees  are  defined  as  follows.  First, 
we  add  to  the  complete  judgments  fi  b  e  =>•  n  and 
p  \-  c  =>•//,  a  new  kind  of  judgment  called  a  pending 
judgment  which  has  the  form 

pi  h  p  =>? 

where  p  is  a  phrase.  Then  partial  derivation  trees  are 
defined  inductively: 

1.  [p  \-  e  =>•  n\ ,  [p  b  c  =>•  p'\  and  jihp=t?]  are  par¬ 
tial  derivation  trees. 

2.  if  P  is  a  predicate,  then  [P]  is  a  partial  derivation 
tree. 

3.  if  Ti,...,Tn  are  partial  derivation  trees,  then 
[/<|-e=>  n\(Ti,  ...,Tn),  [/ihc=>  p'](Ti,  .  .  . ,  Tn), 


and  [p  hp=>  ?](Ti,  .  .  . ,  Tn)  are  partial  derivation 
trees. 

For  example,  [p  b  /  =>•  p(l)]([l  £  dom(p)])  is  a  partial 
derivation  tree.  We  say  that  a  partial  derivation  is  com¬ 
plete  if  it  has  no  subtree  rooted  at  [p  b  p  =>•  ?].  Every 
complete  derivation  tree  is  a  partial  derivation  tree. 
We  let  I,  J,  and  K  range  over  complete  derivation 
trees  and  T  over  partial  derivation  trees. 

Rules  of  the  natural  transition  semantics  for  expres¬ 
sions  and  the  while  and  try  commands,  are  given  in 
Figures  5,  6,  and  7.  We  use  m,  j,  and  k  in  the  rules 
as  indices  that  start  at  zero.  Transition  rules  have 
been  omitted  for  the  other  commands  since  their  for¬ 
mulation  from  the  natural  semantics  is  similar.  Let 
— >*  be  the  reflexive  and  transitive  closure  of  — >, 
that  is,  T  — T,  for  any  T,  T  T'  if  there  exists 

T"  such  that  T  T"  and  T" - >■  T' ,  and  T - A  V 

if  T  T'  for  some  k  >  0. 

The  transition  rules  also  include  a  rule 
(congruence)  which  allows  execution  of  compound 
phrases: 

_ T  — »  T' _ 

\p\-  p=^  ?](Ji,...,  Jn,T) - > 

[M  I-  P  =>  ?](7 1,  •  ..,Jn,T') 

It  allows  the  semantics  to  “scale  up” : 

Lemma  4.1  Suppose  that  T  and  T'  are  partial  deriva¬ 
tion  trees,  n  >  0,  and  k  >  0.  Then  T  — T'  iff 

[p\-  p=^  ?](/!,...,  J„,T)  -—>■ 

[M  I-  P  =>  ?](7 1,  •  ..,Jn,T') 

Proof.  Both  directions  can  be  proved  by  induction  on 
k,  using  rule  (congruence).  The  (if)  direction  re¬ 
quires  observing  that  if  T  — U  T'  then  the  number  of 
children  of  the  root  of  T'  is  at  least  that  of  the  root  of 
T,  and  if 

T  — [Aihp=>?](Ti,...,rm) 
for  m  >  0,  then  T  is  rooted  at  [p  b  p  =>•  ?].  □ 

It  should  be  noted  that  controlling  the  lifetime  of 
locations  in  a  traditional  transition  semantics  is  tricky 
since  one  is  limited  to  transitions  between  configura¬ 
tions  involving  language  terms.  But  with  transitions 
between  partial  derivation  trees,  we  can  exploit  differ¬ 
ent  tree  structure  and  avoid  introducing  extra  infor¬ 
mation  into  configurations  like  the  number  of  “live” 
locations  [6].  The  transition  rule  that  allocates  a  loca¬ 
tion  for  an  instance  of  letvar  is  a  transition  from  a  tree 
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(t-val) 


[//  H  n  =>■  ?]  — >■  [//  H  n  =>  n] 


(t-contents)  l  E  dom(ji) 

[//  H  /  =>•  ?]  — >■  [//  H  /  =>•  //(/)]([/  E  dora(/i)]) 


(t-ADd)  [/ihe  +  e'=>?]  - >■  [//  H  e  +  e'  =>  ?]([//  H  e  =>  ?]) 


(1)  [//  H  e  +  e'  =>  ?]([//  h  e  =>•  n](Ji,  .  .  . ,  J*))  - >■ 

[//  H  e  +  e'  =>-  ?]( 

[//He  . . . ,  t/fc), 

[//  h  e'  ^  ?] 

) 


(2)  [//  h  e  +  e'  =►?]([//  h  e  =►  ra](Ji,  Jfc), 

[//He  n  ]  (K  i , ... ,  -/Hm ) 

[//  H  e  +  e'  =>•  n  +  n']( 

[//He  n]  ( Jd , . . . ,  t//;), 

[//He  n  ]  (-/Hi  7  7  Km ) 

) 


Figure  5.  Natural  Transition  Semantics  for  Expressions 


whose  root  has  exactly  one  child  to  one  whose  root  has 
exactly  three  children.  This  different  tree  structure  can 
be  exploited  in  the  rules  to  specify  in  a  more  natural 
way  when  locations  should  be  deallocated. 

We  say  that  a  partial  derivation  tree  T  is  sound  if 
for  every  node  in  T  of  the  form  [i/Hc^H],  we  have 
v  H  c  =>•  v' ,  for  every  node  of  the  form  \v  H  e  =>•  n\,  we 
have  i/He=>n,  and  for  every  node  of  the  form  [P],  P 
is  true. 

Lemma  4.2  If  T  and  T'  are  partial  derivation  trees 
such  that  T  is  sound  and  T  — >■  T' ,  then  T'  is  sound. 

Proof.  Induction  on  the  structure  of  the  derivation  of 
T - T'.  □ 

By  an  easy  induction  on  the  number  of  transitions, 
we  have  that  if  T  — >*  T'  and  T  is  sound,  then  so  is 
T' .  This  leads  to  the  following  corollary: 

Proposition  4.3  (NTS  Soundness)  If  [//  H  e  =>•  ?] 

— >*  [//He=>  n](Ji,  .  .  . ,  Jm)  then  //He=>«.  Further, 

if  we  have  [//  H  c  =>•  ?] - H  [/(Hc=>  //']( Ji ,  .  .  . ,  Jm), 

then  //  H  c  =>•  //'. 

Completeness  of  the  transition  semantics  is  given  by 

Proposition  4.4  (NTS  Completeness)  Suppose 
that  fi  H  e  =>•  n  and  that  the  judgment  has  a  complete 


derivation  tree  J .  Then  [//  H  e  =>•  ?]  — >*  J .  Further, 
if  fi  H  c  =>•  )F  and  this  judgment  has  a  complete  deriva¬ 
tion  tree  J ,  then  [//  H  c  =>■  ?]  — >*  J . 

Proof.  Induction  on  the  structure  of  the  derivation  of 
//He=>n  and  of  //  H  c  =>•  //',  using  Lemma  4.1.  □ 

4.2.  Mutual  Progress 

Next  we  establish  the  mutual  progress  property  for 
the  type  system. 

Theorem  4.5  (Mutual  Progress)  Suppose 

(a)  A  \~  c  :  p, 

(b)  v  and  //  are  memories  such  that  dom(p)  = 
dom(v)  =  dom(A), 

(c)  v(I)  =  //(/)  for  all  l  such  that  A (l)  <  r, 

(d)  [//  H  c  =>■  ?]  — H  T,  and 

(e)  T  has  a  leaf  of  the  form  [//'  H  c'  =>•  ?]  where  c'  is  a 
try  command. 

Then  there  is  a  location  typing  A'  and  partial  derivation 
tree  T'  such  that  T'  has  a  leaf  of  the  form  \v'  H  c'  =>  ?], 
[i>  H  c  =>•  ?]  — H  T' ,  A  C  A' ,  dom(p')  =  dom(vr)  = 
dom(A'),  and  //'(/)  =  v'{l),  for  all  l  such  that  A '(/)  <  r. 


(t-DIv)  [//  b  try  x  =  e  e'  in  c  =>  ?]  - >■ 

[//  b  try  i  =  e  t  e'  in  c  =>•  ?]([//  h  e  =>  ?]) 

(1)  [//  b  try  x  =  e^r  e'  in  ?]([//  He=>  n](Ai,  .  .  . ,  Am))  - >■ 

[//  b  try  i  =  e  t  e'  in  c=>?]( 

[//be  ^](Ab,  •  •  • ,  A^m), 

\M  b  e'  =>  ?] 

) 

(2)  n'  nonzero 

[//  b  try  i  =  e  t  e'  in  c  =>■?]([//  b  e  =>■  n](A'i,  .  .  . ,  Km), 

[//  b  e'  =>•  n'](Ji,  ■  ■  -  ,Jk) 

[//  b  try  i  =  e  t  e'  in  c=>?]( 

[//be  n](Ab,  •  •  •  7  Km ) , 

[//  b  e'  =>•  n'](Ji, 

[ n'  nonzero], 

[//  b  [(n  n')/x\c  =>•  ?] 

) 

(3)  [//  b  try  r=e-^e'inc=>?]( 

[//be  n]  ( A  i ,  .  .  . ,  Km ) , 

[//  b  e'  =>•  n'](Ji,  .  .  . ,  Jj;), 

[ri'  nonzero], 

[//  b  [(n^n')/*]0^/^7!*---*7.?) 

[//  b  try  i  =  e  t  e'  in  c  =>•  //']( 

[//be  n]  ( A  i ,  .  .  . ,  Km ) , 

[//  b  e'  =>•  n'](Ji,  .  .  . ,  Jfc), 

[ri'  nonzero], 

[//  b  [(n-^nO/^c^^K7!)---)7/) 

) 


Figure  6.  Natural  Transition  Semantics  for  try 
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(t-loop)  [//  H  while  e  do  c  =>•  ?]  — >■ 

[fi  H  while  e  do  c  =>•  ?]([//  h  e  =>  ?]) 

(1)  [fi  H  while  e  do  c  =>  ?]([//  he=>  0](Ji,  .  .  . ,  Jfc))  - >■ 

[fi  H  while  e  do  c  =>•  //]([//  H  e  =>•  0](Ji,  .  .  . ,  J/,)) 

(2)  n  nonzero 

[//  H  while  e  do  c=>  ?]([/(  h  e  =>  n](  Ji ,  .  .  . ,  J/,))  — >■ 

[//  H  while  e  do  c  =>■  ?]( 

[//He  .  .  . ,  t/fc), 

[n  nonzero], 

[flh  ?] 

) 

(3)  [//  H  while  e  do  c=>?]( 

[//He  ^]  (  j  •  •  *7  J fc  )  j 

[n  nonzero], 

[//He  =/•  //  ]  ( K  l ,  .  .  .  ,  Krn  ) 

)^ 

[//  H  while  e  do  c  =>■  ?]( 

[//He  n]  ( Ji ,  .  .  t/fc), 

[n  nonzero], 

[//He  fi  ](Ai, . . . ,  H'm), 

[//'  H  while  e  do  c  =>■  ?] 

) 

(4)  [fi  H  while  e  do  c  =>•  ?]( 

[//He  n[(Ji ,  .  .  .,  t/fc), 

[n  nonzero], 

[//  H  c  =>•  //'](AH,  .  .  . ,  K/), 

[fi1  H  while  e  do  c  =>•  //7/]  (Zi ,  ,Im) 

)7- 

[//  H  while  e  do  c  =>•  //"]( 

[//He  n]  ( Ji ,  .  .  .,  t/fc), 

[n  nonzero], 

[//  H  c  =>•  //'](Ai,  .  .  . ,  Kj), 

[fi'  H  while  e  do  c  =>•  //7/]  (Zi ,  ...  ,Im) 

) 


Figure  7.  Natural  Transition  Semantics  for  while 
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Proof.  Induction  on  the  number  of  transitions  in 
\p  b  c  =>  ?]  — b  T.  Aside  from  the  basis,  we  show  only 
one  case,  namely  (t-LOOp).  It  is  a  good  representative 
case  because  it  illustrates  the  key  steps  one  needs  in 
order  to  prove  the  theorem  for  all  other  rules  of  the 
transition  semantics. 

For  zero  transitions,  we  have 

[/i  h  c  =>  ?]  — A  [/J  h  c  =>  ?] 

where  c  is  a  try  command.  Let  A'  =  A  and  we’re  done 
by  hypotheses  ( b )  and  (c). 

Now  suppose  c  is  while  e  do  c" .  There  are  two  sub¬ 
cases  to  consider  here.  They  correspond  to  whether  the 
leaf  of  hypothesis  (e)  arises  before  or  after  c  has  made  a 
transition  according  to  rule  (t-LOOp)(3).  First  we  con¬ 
sider  the  case  when  it  arises  before.  Since  commands 
are  not  expressions,  we  have,  by  hypotheses  ( d )  and 
(e),  that  c"  contains  a  try  command  c', 

[p'r  c  =b  ?]  — ?]([/!  he=>?])  — A 

I -  c  =►  ?](Ji) 

where  J\  is  a  complete  derivation  tree  rooted  at 
[(i  h  e  =>  »]  and  n  is  nonzero,  and  finally  that 

\p  \~  c  =>  ?](Ji)  — > 

[/ihc=>  ?](Ji,  [ n  nonzero],  [fi  b  c"  =>•  ?])  — A 
[(ihc=>  ?](Ji,  [n  nonzero],  T) 

where  T  contains  a  leaf  of  the  form  [fi'  h  c'  =>  ?]. 

By  rule  (t-LOOp),  we  have 

[n  b  c  =>  ?]  - >■  [i/bc=>  ?]([p  b  e  =>  ?]) 

Now  we  have  A  b  e  :  t'  and  dom(v)  =  dom( A),  so  there 
is  an  integer  n'  such  that  v  b  e  =>•  n' ,  by  Lemma  3.7. 
Suppose  this  judgment  has  a  complete  derivation  tree 
J[  rooted  at  [v  b  e  =>•  n'\.  By  completeness  of  the  tran¬ 
sition  semantics, 

[v  b  e  =>  ?]  - b  J[ 

At  this  point,  we  need  to  show  that  execution  of  c  does 
not  proceed  with  a  transition  by  rule  (t-LOOp)(1)  since 
this  rule  cannot  lead  to  a  derivation  tree  with  the  de¬ 
sired  leaf. 

We  have  A  b  e  :  r'  and  r'  is  minimum  by  the  typing 
rule  (while).  So  A (/)  <  r'  for  every  /  in  e  by  the  simple 
security  lemma.  Also,  r'  <  r  since  t'  is  minimum.  So 
A(/)  <  t  for  every  l  in  e,  and  thus  v(l)  =  fi(l)  for  every 
l  in  e,  by  hypothesis  (c).  Further,  by  soundness  of  the 
transition  semantics,  fi  b  e  =>•  n.  Thus,  n’  =  n  by 
Lemma  3.6.  So  n’  is  nonzero  and  we  then  have  by  rule 
(t-LOOp)(2)  and  Lemma  4.1,  that 

[i/bc=>  ?]([p  b  e  =>  ?])  - b 

[i/  b  c  =>  ?](J(,  [n'  nonzero],  [v  b  c"  =>•  ?]) 


Now  by  Lemma  4.1, 

[p  b  c"  =>  ?]  — b  T 
and  so  by  induction, 

[v  b  c"  =>  ?]  — V 

T’  has  a  leaf  of  the  form  \v’  b  c'  =>•  ?]  and  there  is 
a  location  typing  A'  such  that  A  C  A',  domin')  = 
rfom(p')  =  dom( A'),  and  v'{l)  =  //(/)  for  all  l  such 
that  A '(/)  <  r.  Finally,  by  Lemma  4.1  again, 

[i>  b  c  =>•  ?](J(,  [n'  nonzero],  [v  b  c"  =>•  ?])  — b 
[io  b  c  =>•  ?](J(,  [n1  nonzero],  Tr) 

Now  consider  the  case  when  the  leaf  arises  after  the 
while  command  has  made  a  transition  according  to 
rule  (t-loop)(3).  Suppose  that 

[^bcb?]  - b 

[/ibc=>  ?](Ji,  [n  nonzero],  J2,  [p'  b  c  =>  ?])  - b 

[fi  b  c  =>•  ?](Ji,  [n  nonzero],  J2,  T) 

where  Ji  is  a  complete  derivation  tree  rooted  at 
[/ib  e  =>  n],  such  that  n  is  nonzero,  J2  is  a  complete 
derivation  tree  rooted  at  [//  b  c"  =>•  /i'],  and  T  has  a 
leaf  of  the  form  [fi11  b  c'  =>?]. 

By  Lemma  3.7,  v  b  e  =>•  n'.  Suppose  this  judg¬ 
ment  has  a  complete  derivation  tree  J[  rooted  at 
[v  b  e  =>•  n'].  We  also  have  A  b  e  :  r'  where  r'  is  mini¬ 
mum  by  typing  rule  (while).  So  by  the  simple  security 
lemma  and  hypothesis  (c),  v(l)  =  fi(l)  for  every  l  in  e. 
Thus,  n'  =  n,  by  Lemma  3.6,  and  so  n'  is  nonzero. 

By  the  soundness  of  the  transition  semantics,  we 
have  fi  b  c"  =>•  fi' .  So  by  the  termination  agreement 
theorem,  there  is  a  v'  such  that  v  b  c"  =>•  v'  and 
v'{l)  =  li'(l)  for  all  l  such  that  A (/)  <  r.  Suppose 
this  judgment  has  complete  derivation  tree  J2  rooted  at 
[v  b  c"  =>•  v'\.  By  the  completeness  of  the  transition  se¬ 
mantics,  Lemma  4.1,  and  rules  (t-loop),  (t-loop)(2) 
and  (t-LOOp)(3),  we  have 

[v  b  c  =>•  ?]  — 

[i/  b  c=>  ?](J{,  [n'  nonzero],  J2,  [;/  b  c  =>•  ?]) 

Now  by  Lemma  4.1, 

[/j'bc^  ?]  — b  T 

By  Lemma  3.5,  and  since  dom(fi)  =  dom(v)  =  dom( A), 
we  have  dom(fi')  =  domin')  =  dom(X).  Thus,  by  in¬ 
duction, 

[n1  b  c  =>-  ?]  — b  T' 

T'  has  a  leaf  of  the  form  [v"  b  c'  =>•  ?]  and  there  is 
a  location  typing  A'  such  that  A  C  A',  dom{fi")  = 
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dom(v")  =  dom(X')  and  v"(l)  =  p"(l)  for  all  l  such 
that  A'(7)  <  r. 

Finally,  by  Lemma  4.1, 

[i/  b  c  =>  ?](J(,  [ri'  nonzero],  J'2,  [v'  b  c  =7  ?])  — C 
[i/  b  c  =>  ?]( J( ,  [n7  nonzero] ,  J2,  Tr) 

and  we’re  done.  □ 

Notice  in  the  proof  that  we  have  the  guard  of  a 
while  command  evaluating  to  the  same  value  under 
p  and  v  since  the  command  is  typed  minimally  by  rule 
(while).  The  proof  also  needs  the  guard  of  a  condi¬ 
tional  to  evaluate  to  the  same  value  under  p  and  v,  yet 
rule  (if)  does  not  require  a  conditional  to  be  minimally 
typed.  Nevertheless,  it  will  be  minimally  typed  due  to 
hypotheses  (a)  and  (e)  of  the  theorem,  and  Lemma  3.8. 

The  mutual  progress  theorem  tells  us  that  if  exe¬ 
cution  of  a  command  c  in  a  memory  p  depends  on 
executing 

try  x  =  e  -P  e'  in  c' 

in  some  memory  p' ,  then  c’s  execution  in  v  also  de¬ 
pends  on  executing  the  try  command  in  some  mem¬ 
ory  v' .  Furthermore,  we  have  that  A;  7  b  e'  :  r,  for 
minimum  type  r,  since  c  is  well  typed.  The  theo¬ 
rem  gives  us  a  typing  A'  that  contains  A,  and  hence 
A';|  b  e'  :  r.  The  theorem  also  tells  us  that  v'  and 
p'  agree  on  all  locations  in  the  domain  of  A'  with  min¬ 
imum  type.  Thus  either  both  executions  proceed  (e7 
evaluates  to  the  same  nonzero  integer  in  p'  and  v')  or 
both  get  stuck  (e7  evaluates  to  zero  in  p'  and  v'). 

5.  Our  Third  Covert-Flow  Theorem 

Looking  at  the  mutual  progress  theorem  more 
closely,  if  execution  of  a  command  c  gets  stuck  under 
a  memory  p,  then  its  execution  also  gets  stuck  under 
any  other  memory  v  that  agrees  with  p  on  locations  of 
minimum  type.  This  says  that  executions  of  c  under 
memories  that  differ  only  on  locations  of  nonminimum 
type  cannot  be  distinguished  on  the  basis  of  abnormal 
termination  versus  nontermination.  But  the  number  of 
steps  c  takes  under  p  and  v  may  differ. 

Consider  a  well-typed  composition  c;  c'  where  c  con¬ 
tains  a  conditional,  with  a  nonminimum  guard,  and 
only  c'  contains  a  try  command.  Then  although  c'  may 
get  stuck  under  p  and  v,  more  steps  may  be  needed 
to  do  so  under  one  memory  than  under  the  other  due 
to  different  execution  paths  taken  by  the  conditional 
in  c.  (Remember  that  conditionals  with  nonminimum 
guards  can  still  be  typed  minimally  by  subtyping.)  As 
long  as  conditionals  are  not  typed  minimally,  we  can¬ 
not  say  that  if  execution  of  a  well-typed  command  c 


gets  stuck  after  k  steps  under  p,  then  it  does  so  after 
k  steps  under  v  as  well. 

As  our  final  covert-flow  theorem,  we  prove  a  timing 
agreement  theorem  for  a  more  restricted  type  system. 
The  restricted  system  is  the  original  type  system  with 
rule  (if)  changed  so  that  r  is  required  to  be  minimum. 
Assume,  hereafter,  that  b  now  refers  to  the  more  re¬ 
stricted  system. 

First  we  need  two  lemmas: 

Lemma  5.1  If  p  and  v  are  memories,  dom(p)  = 

k 

dom{v )  and  [/1  b  e  7  ?]  — >■  [/a  b  e  =7  n](  Ji ,  .  .  . ,  Jn), 
then 

[v  b  e  ?]  [v  b  e  ...,J'n) 

Proof.  Straightforward  induction  on  k,  using 
Lemma  4.1.  □ 

The  next  lemma  is  a  stronger  form  of  termination 
agreement  (Theorem  3.1)  for  the  more  restricted  type 
system.  It  does  not  hold  if  conditionals  are  not  mini¬ 
mally  typed. 

Lemma  5.2  Suppose  A  b  c  :  p,  p  and  v  are  memories 
such  that  dom(p)  =  dom(v)  =  dom(X),  fi(l)  =  v(l)  for 
all  l  such  that  X (l)  <  r,  and 

[p,  b  c  ?]  [fibc7  //]( Ji ,  •  •  • ,  Jn) 

Then  we  have  [v  b  c  =7  ?]  — ^  [v  b  c  =7  i/](J(,  .  . . ,  J'n) 
and  v'{l)  =  pf  (l)  for  all  l  such  that  X (l)  <  r. 

Proof.  Induction  on  k,  using  Lemmas  4.1  and  5.1.  □ 

Theorem  5.3  (Timing  Agreement)  Suppose 

(a)  A  b  p  :  p, 

( h )  v  and  p  are  memories  such  that  dom(p)  = 
dom{v)  =  dom(X), 

(c)  v{l)  =  p(l)  for  all  l  such  that  X (l)  <  r, 

(d)  [p  b  p  =7  ?]  T,  for  k  >  0,  and 

(e)  T  has  a  leaf  of  the  form  [p'  b  p'  =>  ?]. 

Then  there  is  a  location  typing  X'  and  partial  derivation 
tree  T'  such  that  T'  has  a  leaf  of  the  form  \v'  bp'  =>  ?], 

[v  b  p  =7  ?]  — ^  T' ,  X  C  A',  dom(p')  =  dom{v')  = 
dom( A'),  and  p'(l)  =  v'{i),  for  all  l  such  that  X '(/)  <  r. 

Proof.  Induction  on  k,  using  Lemmas  4.1  and  5.2.  □ 
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class  TimingChannel  implements  Runnable  { 

boolean  val  =  false; 

TimingChannel () 

throws  InterruptedException  { 
new  TimeSlicer (5) ; 
new  Thread(this) . start () ; 
try  Thread. sleep(2) ; 
finally; 

System. out .println("val  =  true"); 

} 

public  void  run()  { 
double  x; 
if  (val) 

for  (int  i  =  0;  i  <  64;  i++) 
x  =  Math. exp (Math. PI)  +  i; 

System. out .println("val  =  false"); 

} 

public  static  void  main(String  args  []  ) 
throws  InterruptedException  { 
try  new  TimingChannel () ; 
finally ; 

} 

} 

Figure  8.  Timing  Channel  with  Java  Threads 

Clearly  timing  agreement  is  a  stronger  property  than 
either  termination  agreement  or  mutual  progress.  But 
the  cost  for  this  added  strength  is  a  much  more  restric¬ 
tive  typing  rule  for  conditionals.  Though  it  might  be 
argued  the  rule  is  impractical  for  writing  systems  soft¬ 
ware  or  TCB  source  code,  it  may  be  the  kind  of  rule 
that  should  be  used  in  writing  “Web  programs”  like 
Java  Applets.  The  reason  is  that  with  threads,  timing 
differences  become  quite  easy  to  observe  from  within 
programs. 

For  example,  take  the  Java  program  in  Figure  8. 
The  idea  is  that  we  want  to  determine  the  contents  of 
the  boolean  variable  val  by  setting  up  two  compet¬ 
ing  threads.  The  main  thread  creates  another  thread, 
the  TimingChannel  thread,  whose  run  method  checks 
whether  val  is  true,  doing  some  computation  if  it  is  and 
nothing  otherwise,  except  print  a  string.  Notice  that 
the  run  method  does  not  have  any  illegal  implicit  flows 
in  the  sense  of  Denning’s  program  certification  [2,  9]. 
There  is  a  third  thread,  called  the  TimeSlicer,  which 
is  a  daemon  thread  running  at  a  higher  priority.  It  re¬ 
awakens  every  five  milliseconds  and  immediately  goes 
back  to  sleep  which  guarantees  round-robin  schedul¬ 
ing  among  the  other  two  threads.2  After  creating  the 
TimingChannel  thread,  the  main  thread  sleeps  for  two 
milliseconds.  If  it  awakens  before  the  TimingChannel 

2 The  timeslicer  was  needed  because  our  example  was  devel- 
oped  using  Solaris  JDK  1.02  which,  unlike  the  JDK  for  Windows 
NT,  does  not  schedule  threads  in  a  round-robin  fashion. 


thread  completes,  then  the  first  string  output  will  be 
val  =  true,  otherwise  it  will  be  val  =  false.  The 
first  string  usually  reflects  the  variable’s  contents  accu¬ 
rately.  This  is  not  a  completely  reliable  way  of  getting 
the  contents  due  to  thread  scheduling  variations,  but 
it  works  often  enough. 

So  it  seems  that  conditionals  should  also  be  typed 
minimally.  But  this  may  not  be  the  best  way  to  deal 
with  them.  After  all,  unlike  the  earlier  Java  examples, 
threads  here  seem  to  have  a  critical  role.  Perhaps  with 
a  proper  treatment  of  threads,  conditionals  won’t  need 
to  be  typed  so  restrictively. 

6.  Conclusion 

The  idea  of  analyzing  source  code  for  covert  infor¬ 
mation  flow  is  not  new.  He  and  Gligor,  for  example, 
informally  describe  analyzing  TCB  source  code  for  such 
flows  [4].  Others  have  recognized  the  need  to  augment 
Denning’s  original  secure-flow  certification  with  rules 
that  deal  with  global  flows  arising  from  loops  and  pos¬ 
sibly  nonterminating  programs  [1,  5].  But  these  efforts 
provide  no  formal  specification  nor  proof  of  the  proper¬ 
ties  that  are  guaranteed  to  hold  for  programs  that  pass 
the  analyses.  In  contrast,  we  have  given  a  rigorous  ac¬ 
count  of  various  properties  that  a  program  has  if  it  is 
typeable  in  our  covert-flow  type  system. 
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